strongSwan

h1. IKEv1 Cipher Suites

The keywords listed below can be used with the _ike_ and _esp_ directives in [[IpsecConf|ipsec.conf]] to define cipher suites.

IANA provides a "complete list of algorithm identifiers for IKEv1":https://www.iana.org/assignments/isakmp-registry.

h2. Encryption Algorithms

|_<. Keyword                     |_<. Description                       |_.IANA |_.IKE  |_.ESP|_. Built-in Plugins|

|*null*                          |Null encryption                       |=.11   |       |=.k  ||

|*aes128* or *aes*               |128 bit AES-CBC                       |/3=.7  |x o g a|=.k  |aes|

|*aes192*                        |192 bit AES-CBC                               |x o g a|=.k  |aes|

|*aes256*                        |256 bit AES-CBC                               |x o g a|=.k  |aes|

|*aes128ctr*                     |128 bit AES-COUNTER                   |/3=.13 |       |=.k  ||

|*aes192ctr*                     |192 bit AES-COUNTER                           |       |=.k  ||

|*aes256ctr*                     |256 bit AES-COUNTER                           |       |=.k  ||

|*aes128ccm8*  or *aes128ccm64*  |128 bit AES-CCM with  64 bit ICV      |/3=.14 |       |=.k  ||

|*aes192ccm8*  or *aes192ccm64*  |192 bit AES-CCM with  64 bit ICV              |       |=.k  ||

|*aes256ccm8*  or *aes256ccm64*  |256 bit AES-CCM with  64 bit ICV              |       |=.k  ||

|*aes128ccm12* or *aes128ccm96*  |128 bit AES-CCM with  96 bit ICV      |/3=.15 |       |=.k  ||

|*aes192ccm12* or *aes192ccm96*  |192 bit AES-CCM with  96 bit ICV              |       |=.k  ||

|*aes256ccm12* or *aes256ccm96*  |256 bit AES-CCM with  96 bit ICV              |       |=.k  ||

|*aes128ccm16* or *aes128ccm128* |128 bit AES-CCM with 128 bit ICV      |/3=.16 |       |=.k  ||

|*aes192ccm16* or *aes192ccm128* |192 bit AES-CCM with 128 bit ICV              |       |=.k  ||

|*aes256ccm16* or *aes256ccm128* |256 bit AES-CCM with 128 bit ICV              |       |=.k  ||

|*aes128gcm8*  or *aes128gcm64*  |128 bit AES-GCM with  64 bit ICV      |/3=.18 |       |=.k  ||

|*aes192gcm8*  or *aes192gcm64*  |192 bit AES-GCM with  64 bit ICV              |       |=.k  ||

|*aes256gcm8*  or *aes256gcm64*  |256 bit AES-GCM with  64 bit ICV              |       |=.k  ||

|*aes128gcm12* or *aes128gcm96*  |128 bit AES-GCM with  96 bit ICV      |/3=.19 |       |=.k  ||

|*aes192gcm12* or *aes192gcm96*  |192 bit AES-GCM with  96 bit ICV              |       |=.k  ||

|*aes256gcm12* or *aes256gcm96*  |256 bit AES-GCM with  96 bit ICV              |       |=.k  ||

|*aes128gcm16* or *aes128gcm128* |128 bit AES-GCM with 128 bit ICV      |/3=.20 |       |=.k  ||

|*aes192gcm16* or *aes192gcm128* |192 bit AES-GCM with 128 bit ICV              |       |=.k  ||

|*aes256gcm16* or *aes256gcm128* |256 bit AES-GCM with 128 bit ICV              |       |=.k  ||

|*aes128gmac*                    |Null encryption with 128 bit AES-GMAC |/3=.23 |       |=.k  ||

|*aes192gmac*                    |Null encryption with 192 bit AES-GMAC         |       |=.k  ||

|*aes256gmac*                    |Null encryption with 256 bit AES-GMAC         |       |=.k  ||

|*3des*                          |168 bit 3DES-EDE-CBC                  |=.5    |x o g a|=.k  |des|

|*blowfish128* or *blowfish*     |128 bit Blowfish-CBC                  |/3=.3  |x o g a|=.k  |blowfish|

|*blowfish192*                   |192 bit Blowfish-CBC                          |x o a  |=.k  |blowfish|

|*blowfish256*                   |256 bit Blowfish-CBC                          |x o a  |=.k  |blowfish|

|*camellia128* or *camellia*     |128 bit Camellia-CBC                  |/3=.8  |       |=.k  ||

|*camellia192*                   |192 bit Camellia-CBC                          |       |=.k  ||

|*camellia256*                   |256 bit Camellia-CBC                          |       |=.k  ||

|*serpent128* or *serpent*       |128 bit Serpent-CBC                   |/3=.252|>.g a  |=.k  ||

|*serpent192*                    |192 bit Serpent-CBC                           |>.g a  |=.k  ||

|*serpent256*                    |256 bit Serpent-CBC                           |>.g a  |=.k  ||

|*twofish128* or *twofish*       |128 bit Twofish-CBC                   |/3=.253|>.g a  |=.k  ||

|*twofish192*                    |192 bit Twofish-CBC                           |>.  a  |=.k  ||

|*twofish256*                    |256 bit Twofish-CBC                           |>.g a  |=.k  ||

|\6(level2). IKE support|

|\6(level3).*x* default built-in crypto plugin(s) (see separate column)

*o* OpenSSL crypto library (_openssl_ plugin)

*g* Gcrypt crypto library (_gcrypt_ plugin)

*a* AF_ALG userland crypto API for Linux 2.6.38 kernel or newer (_af-alg_ plugin)|

|\6(level2). ESP support|

|\6(level3).*k* Linux 2.6+ kernel|

h2. Integrity Algorithms

|_<. Keyword                  |_<. Description   |_.IANA|_=.IKE   |_=.ESP/AH|_.Length |_.Built-in Plugins|

|*md5*                        |MD5 HMAC          |=.1   |=. x o a |=.k      |>. 96 bit|md5, hmac |

|*sha1* or *sha*              |SHA1 HMAC         |=.2   |=. x o a |=.k      |>. 96 bit|sha1, hmac|

|*sha256* or *sha2_256*       |SHA2_256_128 HMAC |=.5   |=. x o a |=.n      |>.128 bit|sha2, hmac|

|*sha384* or *sha2_384*       |SHA2_384_192 HMAC |=.6   |=. x o a |=.k      |>.192 bit|sha2, hmac|

|*sha512* or *sha2_512*       |SHA2_512_256 HMAC |=.7   |=. x o a |=.k      |>.256 bit|sha2, hmac|

|*sha256_96* or *sha2_256_96* |SHA2_256_96  HMAC |=.p   |=.       |=.n      |>. 96 bit|          |

|*aesxcbc*                    |AES XCBC          |=.9   |=.       |=.k      |>. 96 bit|          |

|*aes128gmac*                 |128-bit AES-GMAC  |=.11  |=.       |=.q      |>.128 bit|          |

|*aes192gmac*                 |192-bit AES-GMAC  |=.12  |=.       |=.q      |>.128 bit|          |

|*aes256gmac*                 |256-bit AES-GMAC  |=.13  |=.       |=.q      |>.128 bit|          |

|\7(level2). IKE support|

|\7(level3). *x* default built-in crypto plugin(s) (see separate column)

*o* OpenSSL crypto library (_openssl_ plugin)

*a* AF_ALG userland crypto API for Linux 2.6.38 kernel or newer (_af-alg_ plugin)

It's also possible to use the hash implementations provided by the _gcrypt_ or _openssl_ plugin together with the _hmac_ plugin.|

|\7(level2). ESP/AH support|

|\7(level3). *k* Linux 2.6+ kernel

*q* for AH, AES-GMAC is negotiated as encryption algorithm for ESP

*n* before version 2.6.33 the Linux kernel incorrectly used 96 bit truncation for SHA-256, _sha256_96_ is only supported for compatibility with such kernels

*p* strongSwan uses the value 252 from the IANA private use range|

h2. Diffie Hellman Groups

|_.Keyword      |_.DH Group|_.Modulus   |_.Subgroup |_.IKE|

|\5(level2). Regular Groups                               |

|*modp768*      |=.  1     |>.768 bits  |           |m o g|

|*modp1024*     |=.  2     |>.1024 bits |           |m o g|

|*modp1536*     |=.  5     |>.1536 bits |           |m o g|

|*modp2048*     |=. 14     |>.2048 bits |           |m o g|

|*modp3072*     |=. 15     |>.3072 bits |           |m o g|

|*modp4096*     |=. 16     |>.4096 bits |           |m o g|

|*modp6144*     |=. 17     |>.6144 bits |           |m o g|

|*modp8192*     |=. 18     |>.8192 bits |           |m o g|

|\5(level2). Modulo Prime Groups with Prime Order Subgroup|

|*modp1024s160* |=. 22     |>.1024 bits |>.160 bits |m o g|

|*modp2048s224* |=. 23     |>.2048 bits |>.224 bits |m o g|

|*modp2048s256* |=. 24     |>.2048 bits |>.256 bits |m o g|

|\5(level2). NIST Elliptic Curve Groups                   |

|*ecp192*       |=. 25     |>.192 bits  |           |=.o  |

|*ecp224*       |=. 26     |>.224 bits  |           |=.o  |

|*ecp256*       |=. 19     |>.256 bits  |           |=.o  |

|*ecp384*       |=. 20     |>.384 bits  |           |=.o  |

|*ecp521*       |=. 21     |>.521 bits  |           |=.o  |

|\5(level2). Brainpool Elliptic Curve Groups              |

|*ecp224bp*     |=. 27     |>.224 bits  |           |=.o  |

|*ecp256bp*     |=. 28     |>.256 bits  |           |=.o  |

|*ecp384bp*     |=. 29     |>.384 bits  |           |=.o  |

|*ecp512bp*     |=. 30     |>.512 bits  |           |=.o  |

|\5(level2). IKE support|

|\5(level3). *m* GMP multi-precision library (_gmp_ plugin)

*o* OpenSSL crypto library (_openssl_ plugin)

*g* Gcrypt crypto library (_gcrypt_ plugin)|

h3. Post-Quantum Key Exchange using NTRU Encryption

|Keyword    |DH Group |Strength   |IKE |

|*ntru112*  |=. 1030  |>.112 bits |=.n |

|*ntru128*  |=. 1031  |>.128 bits |=.n |

|*ntru192*  |=. 1032  |>.192 bits |=.n |

|*ntru256*  |=. 1033  |>.256 bits |=.n |

|\4(level2). IKE support|

|\4(level3). *n* _ntru_ plugin (includes "ntru-crypto":https://github.com/NTRUOpenSourceProject/ntru-crypto library)|

Since the Diffie-Hellman Group Transform IDs 1030..1033 selected by the strongSwan project to designate the four NTRU key exchange strengths were taken from the private-use range, the strongSwan vendor ID *must* be sent by the charon daemon. This can be enabled by the following statement in /etc/strongswan.conf:

<pre>

charon {

  send_vendor_id = yes

}

</pre>